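# roles/vault/tasks/main.yml
#
# Installs HashiCorp Vault from the official release archive, creates a
# dedicated service account and directory layout, renders the server
# configuration and systemd unit, then starts and enables the service.
#
# Variables read by this file:
#   vault_version     - release to install (required).
#   vault_zip_sha256  - optional pinned SHA-256 of the linux_amd64 zip
#                       (introduced by the download task below).
---
# Unprivileged system account with no login shell; the service runs as this
# user so a compromise of Vault does not directly yield root.
- name: Create vault user
  user:
    name: vault
    system: true
    shell: /bin/false
    home: /opt/vault

# The archive is verified before anything is extracted from it. When
# vault_zip_sha256 is not set, the digest is looked up in the SHA256SUMS file
# published next to the release. That catches truncation and corruption, but
# not a tampered release host, because the archive and the digest then share
# one origin. Pin vault_zip_sha256 in inventory (taken from a SHA256SUMS file
# whose signature was verified out of band) to cover that case as well.
# NOTE(review): /tmp is world-writable and this path is predictable; consider
# staging the archive in a root-owned directory instead.
- name: Download Vault binary
  vars:
    vault_release_base: "https://releases.hashicorp.com/vault/{{ vault_version }}"
  get_url:
    url: "{{ vault_release_base }}/vault_{{ vault_version }}_linux_amd64.zip"
    dest: /tmp/vault.zip
    mode: '0644'
    checksum: >-
      sha256:{{ vault_zip_sha256
      | default(vault_release_base ~ '/vault_' ~ vault_version ~ '_SHA256SUMS') }}

# Extracted files are owned by root and not writable by the vault account,
# so the running service cannot replace its own executable.
- name: Extract Vault binary
  unarchive:
    src: /tmp/vault.zip
    dest: /usr/local/bin/
    remote_src: true
    owner: root
    group: root
    mode: '0755'

# 0750: no access for "other"; only the vault user and group can reach the
# configuration, storage and log directories.
# NOTE(review): /etc/vault.d is owned by the service account, so the running
# process can rewrite its own configuration; confirm that is intended.
- name: Create Vault directories
  file:
    path: "{{ item }}"
    state: directory
    owner: vault
    group: vault
    mode: '0750'
  loop:
    - /etc/vault.d
    - /opt/vault/data
    - /opt/vault/logs

# 0640 keeps the rendered configuration unreadable to other local users.
- name: Generate Vault configuration
  template:
    src: vault.hcl.j2
    dest: /etc/vault.d/vault.hcl
    owner: vault
    group: vault
    mode: '0640'
  notify: restart vault

# Ownership and mode are set explicitly so the unit file never depends on the
# controller's or the target's umask; only root may change what systemd runs.
- name: Create Vault systemd service
  template:
    src: vault.service.j2
    dest: /etc/systemd/system/vault.service
    owner: root
    group: root
    mode: '0644'
  notify:
    - reload systemd
    - restart vault

- name: Start and enable Vault service
  service:
    name: vault
    state: started
    enabled: true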